COVID-19: Data protection issues for UK employers
As organisations refocus resource to mitigate the impact of the COVID-19 outbreak and implement measures to safeguard the wellbeing of their employees, it is inevitable that new compliance challenges under the General Data Protection Regulation 2016/679 ("GDPR") and Data Protection Act 2018 ("DPA") will arise.
Our recent work helping clients navigate these challenges has highlighted some common issues, including the need to assess carefully the lawfulness of processing health data, such as information about employees' symptoms or medical records, where these would not ordinarily be processed, and ensuring that remote working measures enable business-as-usual obligations, such as responding to data subject rights requests, to continue to be met as far as possible. The Information Commissioner's Office ("ICO") recently issued guidance to UK businesses on some of these issues to help businesses navigate compliance in these unprecedented times.
This article answers some of the key data protection queries that organisations are asking as the pandemic develops and its impact on businesses unfolds.
Can I process my employees' personal data as part of my COVID-19 containment measures?
You may need to process personal data and sensitive health data in order to implement COVID-19 containment measures in accordance with the recommendations of Public Health England. In this context, several lawful bases for processing personal data under Article 6 GDPR and conditions permitting the processing of special categories of personal data, such as health data, under Article 9 GDPR may be available to you.
In particular, you may be obliged to protect the health of your employees under Member State legislation. If you are a UK employer, for instance, you have a duty to provide a safe and secure working environment under Section 2 of the Health and Safety at Work Act 1974 (the "1974 Act"). Under Article 6 GDPR, compliance with a legal obligation such as this constitutes a lawful basis for processing personal data, provided that you can show that the processing is necessary to perform your legal obligation.
Health data is a special category of personal data under the GDPR and, as such, a specific condition set out in Article 9(2) GDPR must also be satisfied before you can lawfully process it. Article 9(2)(b) GDPR permits special categories of personal data to be processed if it is necessary for the performance of legal obligations in connection with employment, social security or social protection. Therefore, if you are a UK employer you may be able to rely on your duty under the 1974 Act to protect your employees' health as the basis under Article 9(2) to process health data as part of your COVID-19 monitoring measures.
You should, however, be mindful that if you look to rely on Article 9(2)(b) GDPR, you must have an appropriate policy document in place at the time you process the data to meet the requirement of paragraph 1 of Schedule 1 to the DPA.
If you do process your employees' health data, you should also bear in mind the following general GDPR principles which will continue to apply:
- All personal data must be processed in a secure manner (clearly especially important for your employees' health data).
- Personal data must be stored confidentially. Although you should disclose cases of the virus amongst your workforce, you should avoid disclosing the identities of your infected employees unless there is a clear justification for doing so.
- You should provide your employees with easily accessible and easy to understand information about the purpose of collecting their data.
- You should only collect the minimum necessary amount of personal data required for your COVID-19 containment measures. This can include asking employees whether they have visited certain countries or are experiencing COVID-19 symptoms (which the ICO has specifically stated it is reasonable to do).
- You should document decisions about your COVID-19 containment measures that involve processing your employees' personal data.
What happens if I am late in responding to an information rights request?
The ICO is currently informing data subjects that they may experience delayed responses to information rights requests that are made during the outbreak.
The ICO has further clarified that, while it cannot extend statutory timescales for responding to information rights requests, it will not "penalise organisations that [it] knows need to prioritise other areas or adapt their usual approach during this extraordinary period." So it seems that, for the time being at least, the ICO may take a pragmatic approach to information requests, provided you can demonstrate you are taking all reasonable measures to continue to meet the statutory response deadline.
Can I share personal data, including my employees' health data, with public authorities?
The ICO has stated that organisations may share the personal data, including health data, of specific individuals with public authorities, but only if necessary and subject always to ensuring appropriate safeguards are implemented.
Under Article 6 GDPR, organisations may process personal data where doing so is necessary to protect the vital interests of the data subject or of another natural person. Additionally, Article 9(2)(g) GDPR provides that processing special categories of personal data, such as health data, is permissible where necessary for reasons of substantial public interest, subject to having a basis under Member State law. Therefore, although organisations can share personal data with public authorities, they should only do so where it is absolutely necessary, such as during an emergency.
What security measures should I have in place for my employees working from home during the pandemic?
If you usually allow your employees to work from home you are likely to already have suitable security measures in place to cater for remote working during the pandemic.
However, if you are a business that does not ordinarily allow employees to work from home, such as a call centre or a provider of outsourced regulated activities, you may not have appropriate security measures in place. In these circumstances you might benefit from carrying out a Data Protection Impact Assessment (often referred to as a DPIA). If you carry out a DPIA and subsequently identify a risk that you cannot mitigate, whether from remote working or the deployment of other business continuity measures, you must notify the ICO immediately.
With thanks to Tom Brookes and Satya Doraisamy for their contributions.